It wouldn't completely solve the problem (due to function pointers), but it would make it much harder.
And, of course, having all user input fully validated and verified and limited would also do that -- you can't trash the stack in that case.
And which is also why spam is an ongoing problem, even if it's one we've rendered mostly invisible to the end users these days.
That definition includes malware arriving by email.
Assuming you really want to know, or others are curious: because the web servers were initially low-profile services, not considered terribly important. And the technologies involved were still changing often, meaning frequent software, configuration, and content changes, and, as a result, frequent reboots. The main domain (e.g., example.com) may not have had any actual A records, only NS and MX records, and so it would not have been possible to put a web server there at all. And eventually, the www.name.com template became so common that you could just enter name into a web browser, and it would try www.name.com first.
DNS SRV records are starting to be used -- but at the time in question, nobody had ever used them (I'm not even sure when they were introduced).
Isn't internet history fun?
We have other, automated, spam detection measures that don't annoy the regular posters.
Worse than that, I think -- it'd essentially amount to a Great Firewall for every country. And as much as I dislike spam (and I dislike spam quite a bit), that would worry me.
Your posting led me to try to Do The Right Thing and run Firefox with NoScript. I say again, OMG.
Trying to do this on the modern web is a really horrible experience. You get halfway through your interaction with the airline, and it goes tits up, you finish typing up the comment form, and the Captcha fails, making you start all over (or just give up), gethuman.org doesn't work, and on, and on, and on...
This seems like an extremely good illustration of where we really went wrong. Trying to be secure is just too crippling.
And even if you are willing to be crippled, the tools are terrible. I mean, I know the NoScript folks are trying hard, but let's face it, the feedback they give is the nearest thing to useless. Something goes pear-shaped, so you click on their little bar, and what's the choice you get?
a. Trust these guys forever
b. Trust these guys just once (no condom just this time...)
c. Don't trust these guys.
All NoScript really tells me is how badly I'm crippled if I don't allow the script. It doesn't let me evaluate threat versus payoff.
There isn't a bloody clue what you are trusting the JavaScript in question to do. All you have to go on is the name of the ostensible source. Even then, the emphasis should probably be on ostensible. Let's say you trust the intentions of the people who wrote the site. Unless they are Google or one of a handful of others, why should you trust that their intentions will carry through? Did they really write all that JavaScript themselves? If so, are they competent to write it securely? If not, what's the provenance of this software? What's worst is knowing that the airline's competence isn't to be trusted (just by interacting with their website), but what choice does one have?
I have a postgraduate degree in Computer Science, and I can't make any practical use of the information NoScript gives me. It's like having a screening test for a disease for which there is no treatment. All it can do is make you miserable. And I'm willing to bet that NoScript is better than just about any other JavaScript blocker out there.